Cloud Services and Business Process Outsourcing
What security concerns surround Cloud Services and Outsourcing?
Prepared for the Western NY ISACA Conference, April

Presenter
Kevin Wilkins, CISSP, Chief Technology Officer, isecure LLC
Kevin Wilkins is the Chief Technology Officer (CTO) at isecure LLC. Mr. Wilkins oversees the implementation of Network Security product portfolios, specializing in heavily regulated environments such as PCI, SOX, and HIPAA/HITECH. Mr. Wilkins has been in the IT industry since 1998 and has extensive operational experience in Network Engineering, Systems Administration, Telecommunications, and Information Security.

Abstract
Businesses have been outsourcing various processes and services for many years. Recently, IT services and applications have been moved to "The Cloud". What are the benefits and risks of using outside parties vs. direct hires and internal infrastructure? What are some considerations in making a move to The Cloud safely?

Audience
Corporate/Information Security Officers, Business Managers, IT Administrators
What is Outsourcing in general?
Take a business process - anything really - and pay an outside party to help.
Strictly Business Examples: Accountancy, Legal, Personnel and Hiring.
IT Examples: Voice Communications, WAN Management, Web Hosting, Public DNS, CRM, Data Backups, Data Storage and Accessibility.

Why Outsource?
Outsourcing allows a company to focus on its core competencies without requiring specialized IT knowledge and infrastructure to be maintained in-house. While you specialize in manufacturing or finance, an outside party can specialize in the business support services you need. Consultants can work on an as-needed basis instead of carrying the expense of a full-time hire.

Why Outsource?
Outsourcing a business function can introduce better scalability and elastic resources. There is an economic advantage in sharing a larger system. Capital expense related to equipment purchases and maintenance can be converted to a monthly payment covering exactly what you need.

What is The Cloud?
The Cloud usually applies to the outsourcing of IT Operations. The Cloud generally means obtaining Data Handling or Application Delivery from an outside party. The other common Silos of Infrastructure and People are often involved; this relates to the 3rd party management of on-site systems and network components.

Is The Cloud new?
Only in name! PBX/Telephone functions have been outsourced via Centrex and VoIP. Traditional ISPs have provided Web Hosting, DNS, etc. for decades. There has been a shift to ISPs specializing in Communications Infrastructure while letting others specialize in the Application and Data side.

I'm pretty sure The Cloud is new.
OK, so it is. The variety, accessibility, and scalability of IT functions that can be outsourced continues to grow. The variety of business operations that can push their Data and Applications to a Hosted environment also grows.

Great, I want it!
Cool, but did you ask your CSO?
Our friendly CISSP says that good security is centered around the following:
Confidentiality: Is your data private?
Integrity: Is your data intact, and protected from modification, damage or destruction?
Availability: Can you use your data or application where and when you need it?
What are some concerns with Outsourcing?
Other People have access to your Data - how are they held accountable for it? This might include Accounting Data, Customer Contacts, Strategic Information, Trade Secrets, and Sensitive Communications. In the case of Managed Services, this might also include access to your Network and Internal Systems.

What are some concerns with Cloud Service providers?
Cloud-based data and applications may be globally accessible to remote workers, but are also exposed to attack by outside parties. Can the Cloud Service send you security logs and reports regarding access attempts and failures, and notify you in the event of an attack or a breach?

What are some concerns with Cloud Service providers?
Does your Cloud service support Data Loss Prevention (DLP) functionality? What if the data is lost (as in destroyed) or disclosed (stolen or leaked) to unauthorized parties?

What are some concerns with Cloud Service providers?
The Data and Applications are off-site, which could lead to Accessibility issues if your Internet connections go down. What happens if the entire Cloud Service provider were to go out of business?

Data Ownership in The Cloud
Some Cloud Services claim ownership or usage rights to your data. For example, YouTube will claim rights to repackage, distribute, or sell anything you upload for their own benefit. Amazon Web Services explicitly protects your rights to your intellectual property in their EULA. What happens to data when an employee buys a Cloud Service for your company, but uses a personal credit card and identity information to set up the account? What happens if this account is used to host Company data, but the employee leaves the Company?

Mobility and BYOD
As previously mentioned, moving data to a Cloud Service can simplify access by remote workers. Remote Access can be related to Mobile Access, but that's a different presentation! And don't get me started on Bring Your Own Device (BYOD). The relationships of BYOD, Mobile, and Cloud can be discussed during Q/A at the end of this presentation.

Jeez, what else?
Many cloud providers will limit their liability in the event of downtime, data loss, or compromise. The ability to directly manage a service outage is limited. You can call support, but often answers are not forthcoming. This can be frustrating, especially if a critical service is offline. The ability to customize may be limited. It Is What It Is. You may only see new capabilities as part of the Cloud Service provider's development roadmap, not your own requirements.
What can be done internally to mitigate security concerns when Outsourcing?
Maintain a local backup copy of your data. Have Business Continuity and Disaster Recovery plans in case the Cloud service suffers a serious issue. Prepare a Cloud Exit Strategy including a process, a hardware/software manifest, and projected costs.

What can be done to secure your data that's been entrusted to outside parties and accessible via the Public Internet?
Crypto fairy-dust goes a long way. There are 3rd party solutions on the market that can encrypt your data in transit to a Cloud-based provider and provide decryption services when the data is retrieved.

What can be done to secure your data that's been entrusted to outside parties and accessible via the Public Internet?
Some Cloud providers encrypt Customer data while in storage and in use, and provide the ability for the Customer to control the encryption keys. This provides an assurance that employees of the Cloud provider or other outside parties cannot read your data.

What can be done to secure your data that's been entrusted to outside parties and accessible via the Public Internet?
Single Sign-On (SSO) can tie independent Cloud Provider authentication mechanisms into a single login associated with your Active Directory system. This greatly simplifies password management. SSO service providers can also extend the functionality of a Cloud Provider with additional security controls (Time of Day, Geographical ID, DLP, Device Restrictions) and auditing.

How can a relationship with a Cloud-based provider be managed in order to limit risk?
Consider a requirement that the Cloud Service provider release your data in a common and portable format on demand. Avoid vendor lock-in. Easy access to raw data may also prove important when dealing with legal and e-discovery issues. Ensure that the Cloud Service provider has the required level of compliance and governance for the security of your data.

How can a relationship with a Cloud-based provider be managed in order to limit risk?
Ensure that the Cloud Service provider has a Business Continuity Plan and Disaster Recovery strategy with stated Service Level Agreements for restoration or customer compensation/remedy. Read the EULAs and Contracts very carefully. If the stakes are high, try to negotiate the terms.

How can a relationship with a Cloud-based provider be managed in order to limit risk?
Depending on the level of exposure, treat Outsourced and Cloud Service providers like any other business partner. Perform as much vetting as you would give an accountant or lawyer. Consider a Bonded agreement to ensure proper care and accountability, or verification of an insurance policy to cover potential losses. Consider requiring 3rd party audits of a Cloud Service provider's practices.
A Scary Story
Nirvanix, a cloud-storage company, announces a termination of operations. Customers had two weeks to move their data. Uploads were disabled immediately. This affects both independent customers and strategic partnerships with IBM SmartCloud and other major players such as Dell, HP, and Symantec.

A Scary Story
An outside company providing HVAC management services was implicated in the Target breach. The HVAC company had been granted excessive access to Target's network. When their own systems and credentials were compromised, Target was left vulnerable. Do we blame Target, or the HVAC company?

Some thoughts regarding Over-Dependence on Outsourcing
Outside consultants and managed service providers may not have the same personal investment in an organization as a full-time employee. To an outsourcing provider, you are just another customer, while an employee's dedication and behavior have a direct impact on himself, his company, and his fellow employees.

Some thoughts regarding Over-Dependence on Outsourcing
An outside consultant, MSP, or Cloud Service provider might not have the desire or latitude to go the extra mile. Contractual agreements might prohibit a 3rd party employee from providing assistance not defined in the SLA without approval from management. This is due to both pricing and liability concerns.

Some thoughts regarding Over-Dependence on Outsourcing
An over-dependence on outsourcing can result in a brain drain within your own organization. A day might come when you have insufficient technical knowledge within your organization to effectively manage a vendor, understand the service they offer, and deal with integration issues. This is compounded when interoperability issues occur between your multiple service providers.

I get it. You hate The Cloud.
No. The Cloud is cool and can make your life easier. But Cloud Service is a buzzword, and providers make it very easy to launch into. When there are problems, it's a long way down. When properly managed, you can achieve economical access to specialized and scalable services while maintaining operational stability and security of data.

In Summary
Business Process Outsourcing and the use of Cloud Services have proven benefits and are common practice. Conduct careful planning regarding how services will be used and how to manage problems, and build policies defining what data is acceptable for use in The Cloud. Structure your agreements with Cloud Service partners in such a way that carries assurances of accountability, liability, compliance, ownership, and smooth disengagement when the term of service has ended.